Make route scopes configurable #212

Open
5 tasks
asadeg02 opened this issue May 19, 2020 · 0 comments
asadeg02 commented May 19, 2020

Context

Scopes in hapi allow you to apply access restrictions on individual routes. It’s a two-step procedure: you need to (1) define a scope property on a route and (2) define another scope property within the authenticated user's credentials. Both scope properties are evaluated against each other.
To determine if a request is allowed to access the resource, hapi evaluates the required scope defined within config.auth.scope against the scope property defined within request.auth.credentials.

The purpose of this task is to refactor how we have done the first step mentioned above and provide the developers using anchor with an easy way to update the route scopes based on the context in which anchor is being used without having to modify multiple parts of the code.
This task is related to #211.

Current behavior

Right now, whenever we add a route, we have the option of assigning an array of string values to the scope property in the auth config of the route to restrict access to it (one or all of the strings in ['root', 'admin', 'researcher', 'clinician', 'analyst']).
If we update the valid user roles/scopes (see #211) due to the application requirements, there is no easy way to update the route scopes, and we have to go back and update all the route scopes in the api and web directories manually, which is error-prone and cumbersome.
The idea is to create a workflow for making dynamic updates to the route scopes.

Expected Behavior

Since there is no way to update a route's scope after registering routes with the server instance, the only way to make dynamic updates to the route scopes possible is to have a separate config file for route permissions, with route paths as the keys and their corresponding scopes as the values. This way, when defining routes, we assign values to the scope property in the auth config of routes from this config file.
We also want to be able to keep track of our route permissions separately in a table in the database and be able to update both the table and the permission config file easily through the UI.

Steps

  • 1- We have to change the scope property in the auth config of all the routes as follows:

  • 2- Implement a function for creating or updating the permission config file as follows.
    After registering routes with the server, we update the permissions config file (or create it in case it doesn’t already exist) by looking at the permission table in the database. If such a table exists in the database, we get the scope values from this table, but if such a table doesn’t exist, we look at the server route table (using server.table()) and create a key with each route’s path in the config file. If the registered routes already have a scope, we put this scope as the value in this config file, and if they don’t have a scope, we assign the default value to each route. The default value for the scope is the set of all possible permission strings. (In the Anchor original example the default value would be ['root', 'admin', 'researcher', 'analyst', 'clinician'], but since this task is supposed to happen after Assign customized roles(scopes) with different permission levels to users #211, the default value for route scopes is going to be picked up from the 'roles' property in the config object in the config.js file.)
    In the first round, the permission config file would be a separate file from the general config file (config.js) in a simple JSON format, and the reason is to be able to update the permission config file more easily in the code, but it might be another enhancement task to see how we can integrate route permission configs into the general config file, config.js.
    This function should be called inside the server.js file, after registering our routes with the server.

  • 3- We need to create UI components (Handlebars templates) and a permissions table in the database to give the user the ability to change the permissions in the UI and then update the permission table, and API routes for performing CRUD operations on the permission table. The use of the permission table is to have a more persistent way to store the route permissions, but every time after updating the permission table, we also need to update the permissions config file, as this is from where the scope of routes can get updated.

  • 4- Implement a function for updating the permission config file, to be called right after the permission table in the database gets updated through the UI; the scope of routes (which are getting their scopes from the permission config file) will then be updated automatically.

  • 5- Create unit tests for newly added functionalities regarding permission model and api.
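
A sketch of steps 1, 2 and 4 above, added here as an example and not code from the anchor project: it builds the path-to-scope config from a route list and an optional permission table, validates every scope against the configured roles, and checks a credential against the result. The route objects are a simplified stand-in for server.table() entries, and ROLES, SAMPLE_ROUTES and all function names are assumptions.

```javascript
'use strict';

// Assumed role list; the issue says it will come from the 'roles' property in config.js.
const ROLES = ['root', 'admin', 'researcher', 'clinician', 'analyst'];

// Constructed sample: simplified stand-in for server.table() entries.
const SAMPLE_ROUTES = [
  { path: '/api/users', scope: ['root', 'admin'] },
  { path: '/api/sessions' }, // registered without a scope
];

// Reject role strings that are not in the configured list, so a typo in the
// table or file cannot yield a scope that no credential will ever match.
function validScopes(scopes, roles) {
  const unknown = scopes.filter((s) => !roles.includes(s));
  if (unknown.length > 0) throw new Error(`unknown scope(s): ${unknown.join(', ')}`);
  return [...scopes];
}

// Steps 2 and 4: build the permission config (route path -> scopes).
// dbPermissions is { path: scopes } read from the permission table, or null
// when the table does not exist. Falling back per route when a path is
// missing from the table is an assumption of this sketch.
function buildPermissionConfig(routes, dbPermissions, roles) {
  const config = {};
  for (const route of routes) {
    const fromDb = dbPermissions ? dbPermissions[route.path] : undefined;
    config[route.path] = validScopes(fromDb || route.scope || roles, roles);
  }
  return config;
}

// Step 1: a route definition takes its auth scope from the config file.
function authFor(path, permissionConfig, roles) {
  return { scope: permissionConfig[path] || roles };
}

// Plain-string scope check: allowed when the credentials hold at least one of
// the route's scopes. The '+' and '!' scope prefixes are not handled here.
function isAllowed(requiredScopes, credentials) {
  const held = [].concat(credentials.scope || []);
  return requiredScopes.some((s) => held.includes(s));
}

const initial = buildPermissionConfig(SAMPLE_ROUTES, null, ROLES);
const updated = buildPermissionConfig(SAMPLE_ROUTES, { '/api/sessions': ['root'] }, ROLES);
console.log(JSON.stringify(initial, null, 2));
console.log(isAllowed(authFor('/api/sessions', updated, ROLES).scope, { scope: ['analyst'] })); // false
```

Because the default for an unscoped route is every role, a route missing from both the table and its own definition is open to all authenticated roles; the validation step only guards against unknown role strings.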
